nextcloud / end_to_end_encryption_rfc

🔒 Specification for end-to-end encryption used by Nextcloud sync & mobile apps

Replay attacks #24

Closed woefe closed 5 years ago

woefe commented 5 years ago

As already mentioned in #17, the protocol is susceptible to replay attacks.

Possible solutions include timestamps and/or message counters. However, neither timestamps nor message counters are a perfect solution.

Problems with timestamps: The protocol is asynchronous. Therefore, clients do not receive messages within a given timeframe. This makes it impossible to define a timespan to check the validity of timestamps.

Problems with message counter: It is possible to detect a replay at at least one client with a message counter. However, subgroups of users can still be tricked into accepting conflicting views of the encrypted files. For example: Suppose a shared folder between A, B, C and the current counter is 42 at all clients. A now updates a file and increases the counter to 43. The attacker blocks the propagation of message 43 to B and C. Next, B updates a file and also increases the counter to 43. The attacker forwards the message to C and blocks propagation to A. The clients B and C now have different files than A.
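The counter scenario from the comment above, as an added example that is not part of the original issue or of the Nextcloud specification: a simulation in which a hypothetical `Client` accepts only counter `last + 1`, showing that a replayed message is rejected while A and B/C still end at counter 43 with different content. The `Update` and `Client` types and the sample contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """Constructed stand-in for an authenticated update of the shared folder."""
    counter: int
    author: str
    content: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class Client:
    """Hypothetical client: accepts an update only if counter == last + 1."""

    def __init__(self, name: str, counter: int, digest: str):
        self.name, self.counter, self.digest = name, counter, digest

    def receive(self, update: Update) -> bool:
        if update.counter != self.counter + 1:
            return False  # replayed or stale counter: rejected
        self.counter, self.digest = update.counter, update.digest()
        return True


def run_scenario():
    # All three clients start in agreement at counter 42.
    base = Update(42, "A", b"folder state 42")
    a, b, c = (Client(n, 42, base.digest()) for n in "ABC")

    # A's update 43 is applied at A only; delivery to B and C is blocked.
    a.receive(Update(43, "A", b"A's edit"))

    # B's update 43 is applied at B and C; delivery to A is blocked.
    msg_b = Update(43, "B", b"B's edit")
    b.receive(msg_b)
    c.receive(msg_b)

    # The counter check does its job against a plain replay of message 42 ...
    replay_rejected = not any(x.receive(base) for x in (a, b, c))
    # ... and A would refuse B's message if it arrived later (counter is
    # already 43), yet every client reports the same counter value.
    late_rejected = not a.receive(msg_b)
    return a, b, c, replay_rejected, late_rejected
```

Equal counters therefore say nothing about equal content: only a value bound to the content itself, such as the digest tracked here, exposes that A's view differs from the one B and C share.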

tobiasKaminsky commented 5 years ago

This is fixed with v2.